
High and medium vulnerabilities found in deps Engine.io + glob-parent. #1847

Closed
2 of 10 tasks
mejiaj opened this issue Feb 9, 2021 · 2 comments · Fixed by #1936

Comments

@mejiaj

mejiaj commented Feb 9, 2021

Issue details

Snyk scan found the following vulnerabilities with dependencies.

✗ High severity vuln found in engine.io@3.5.0, introduced via browser-sync@2.26.14
    Description: Denial of Service (DoS)
    Info: https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
    From: browser-sync@2.26.14 > socket.io@2.4.0 > engine.io@3.5.0

✗ Medium severity vuln found in glob-parent@5.1.1, introduced via browser-sync@2.26.14
    Description: Regular Expression Denial of Service (ReDoS)
    Info: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
    From: browser-sync@2.26.14 > chokidar@3.5.1 > glob-parent@5.1.1

Steps to reproduce/test case

Please provide necessary steps for reproduction of this issue, or better the reduced test case (without any external dependencies).

Please specify which version of Browsersync, node and npm you're running

  • Browsersync [ 2.26.14 ]
  • Node [ 14.15.4 ]
  • Npm [ 6.14.9 ]

Affected platforms

  • linux
  • windows
  • OS X
  • freebsd
  • solaris
  • other (please specify which)

Browsersync use-case

  • API
  • Gulp
  • Grunt
  • CLI

If CLI, please paste the entire command below

N/A

for all other use-cases, (gulp, grunt etc), please show us exactly how you're using Browsersync

N/A

@cronon

cronon commented Feb 10, 2021

I see engine.io already patched their library; unfortunately, the patch leads to breaking changes, so they published it in version 4:
socketio/engine.io#612
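The scan above only flags transitive packages, so the actionable item is the direct dependency that pulls them in. The following script, an added example that is not part of the issue or of Browsersync, walks a nested dependency tree of the shape `npm ls --json` produces and prints every path that reaches an advisory-covered version, the way Snyk's "From:" lines do. The tree, the advisory table and the affected-version predicates are constructed here from the report (engine.io below major 4, per the comment above; glob-parent only at the reported 5.1.1, since no fixed version is stated).

```javascript
// Constructed tree mirroring the two chains reported by the scan (not a real lockfile).
const tree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'browser-sync': {
      version: '2.26.14',
      dependencies: {
        'socket.io': { version: '2.4.0', dependencies: { 'engine.io': { version: '3.5.0' } } },
        'chokidar':  { version: '3.5.1', dependencies: { 'glob-parent': { version: '5.1.1' } } },
      },
    },
  },
};

// Advisory table (assumption, built from the report): a package is affected when its
// version satisfies the predicate. engine.io < 4 follows the comment that the fix
// shipped only in version 4; glob-parent lists just the reported version.
const advisories = [
  { pkg: 'engine.io',   title: 'Denial of Service (DoS)',
    affected: v => parseInt(v.split('.')[0], 10) < 4 },
  { pkg: 'glob-parent', title: 'Regular Expression Denial of Service (ReDoS)',
    affected: v => v === '5.1.1' },
];

// Depth-first walk. Each hit records the full chain ("From:") and the top-level
// package at the head of the chain, which is the one a consumer can actually update.
function findVulnerablePaths(node, advisories, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, `${name}@${dep.version}`];
    for (const adv of advisories) {
      if (adv.pkg === name && adv.affected(dep.version)) {
        hits.push({ pkg: chain[chain.length - 1], title: adv.title,
                    from: chain.join(' > '), direct: chain[0] });
      }
    }
    hits.push(...findVulnerablePaths(dep, advisories, chain)); // recurse into nested deps
  }
  return hits;
}

for (const h of findVulnerablePaths(tree, advisories)) {
  console.log(`${h.pkg}: ${h.title}\n    From: ${h.from}\n    Update: ${h.direct}`);
}
```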

@lachieh
Contributor

lachieh commented Feb 24, 2022

This is the original issue, but #1850 has more details and more people are following it.


3 participants